ipmi: Inquiry Regarding IPMI User Password Testing

vernon.mauery at linux.intel.com
Tue Nov 14 08:20:13 AEDT 2023


On 09-Nov-2023 08:06 AM, Jerry Wan (萬祐嘉) wrote:
>Hi Vernon,
>
>
>We recently conducted some tests on phosphor-ipmi-host and found that the user password test command doesn't appear to be compliant with the IPMI specification.
>
>We used a 20-byte password testing command to validate a 16-byte password, and it passed the test. However, according to the IPMI specification, I think the above test combination should return a failure. (Please refer to IPMI spec 22.30-Set User Password Command, page 313)
>
>Here is the testing procedure:
>
>  1.  Change the user password with a 16-byte flag.
>root@evb:~# ipmitool user set password 5 Passw0rd 16
>Set User Password command successful (user 5)
>
>  2.  Use a 16-byte testing command to validate the correct password: Pass
>root@evb:~# ipmitool user test 5 16 Passw0rd
>Success
>
>  3.  Use a 20-byte testing command to validate the correct password: Pass <== I think this should be a Fail
>root@gms:~# ipmitool user test 5 20 Passw0rd
>Success
>
>Could you please confirm if my understanding is correct?

Jerry,

The openbmc platform doesn't keep track of how the passwords were set 
(whether with the 16 or 20 byte flag). So the behavior you showed is 
expected.

When you set a password, the flag is there just because the IPMI 
specification had to add it for backwards compatibility with IPMI-1.5. 
But really, the same underlying code is called with either the 16 or 20 
byte buffer.

If the password matches, the password matches. The only thing 
you can't do is attempt to set a 20-byte password and then attempt to 
authenticate with only the first 16 bytes.

--Vernon
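
The behaviour discussed in this thread, as an added example that is not part of the original e-mails and is not phosphor-ipmi-host code: a small C++ model of set/test password over a zero-padded 16- or 20-byte field, with the size flag either ignored (as the reply describes) or tracked (as the question reads the specification). The names User, fromField, setPassword, testPassword and the trackSize switch are assumptions; 0x80 and 0x81 are the IPMI completion codes for a failed password test (data mismatch and wrong password size).

```cpp
// Simplified model for illustration; not phosphor-ipmi-host code.
// All type and function names here are hypothetical.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>

constexpr uint8_t ccOk = 0x00;
constexpr uint8_t ccMismatch = 0x80;  // test failed: password data does not match
constexpr uint8_t ccWrongSize = 0x81; // test failed: wrong password size used

struct User {
    std::string password;    // stored without the zero padding
    std::size_t setSize = 0; // 16 or 20, the size flag given when it was set
};

// The request carries a fixed 16- or 20-byte field, zero padded. Build that
// field from the typed string, then cut at the first NUL (or the field end).
std::string fromField(const std::string& typed, std::size_t fieldSize) {
    std::string field(fieldSize, '\0');
    std::copy_n(typed.begin(), std::min(typed.size(), fieldSize), field.begin());
    return field.substr(0, field.find('\0'));
}

void setPassword(User& u, const std::string& typed, std::size_t fieldSize) {
    u.password = fromField(typed, fieldSize);
    u.setSize = fieldSize;
}

// trackSize == false: the size flag is not remembered (behaviour in the reply).
// trackSize == true: the size used at set time must match (the question's reading).
// Plain == is used for clarity; it is not a constant-time comparison.
uint8_t testPassword(const User& u, const std::string& typed,
                     std::size_t fieldSize, bool trackSize) {
    if (trackSize && fieldSize != u.setSize) return ccWrongSize;
    return fromField(typed, fieldSize) == u.password ? ccOk : ccMismatch;
}

int main() {
    User a, b;
    setPassword(a, "Passw0rd", 16);             // constructed sample values
    setPassword(b, "Passw0rdPassw0rd1234", 20); // 20 characters
    std::printf("set 16, test 20, size ignored: 0x%02x\n", testPassword(a, "Passw0rd", 20, false));
    std::printf("set 16, test 20, size tracked: 0x%02x\n", testPassword(a, "Passw0rd", 20, true));
    std::printf("set 20, test first 16 bytes:   0x%02x\n", testPassword(b, "Passw0rdPassw0rd1234", 16, false));
    return 0;
}
```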